Security & Data Protection
Your data is safe.
How we handle, protect, and govern client data across every engagement.
Principles
- Minimum necessary access. We only touch the data required to deliver. Nothing more.
- Client ownership. Your data is yours. Always. We never claim rights to it.
- No data resale. Your data is never sold, shared, or made available to anyone.
- Client isolation. Every client gets a separate environment. No shared infrastructure between engagements.
AI & LLM Data Handling
☁️ Cloud AI (Primary — Anthropic Claude)
OAuth authentication. We use OAuth-based access — no API keys stored on client hardware. Authentication tokens are scoped and rotatable.
Zero data retention. Anthropic does not store inputs or outputs. Data is not persisted after processing.
No training on your data. Usage terms explicitly prohibit it.
Encrypted in transit. TLS 1.2+ on all calls.
SOC 2 Type II certified. Anthropic maintains full compliance.
🏠 Local AI (Available on Request)
For clients requiring full data sovereignty, we deploy open-source models on your hardware. Zero cloud dependency. No data leaves your network.
Best for high-sensitivity workflows. Available as a premium option.
Agent Systems
- Agent memory and files stored on client-controlled infrastructure
- Configurations, prompts, and workflows are client-specific and isolated
- Communication channels provisioned under client's own accounts
- Authentication via OAuth tokens — scoped, rotatable, no static API keys stored on client hardware
Encryption
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.2+ |
| Data at rest | AES-256 |
| Credentials | Encrypted storage, never plaintext |
Access Controls
- Personnel: Only Brian Carrion and explicitly authorized team members access client systems
- MFA enforced on all accounts used to access client systems
- Offboarding: All data deleted or returned within 30 days. Access revoked immediately.
Incident Response
- Client notified within 24 hours of discovery
- Affected systems isolated immediately
- Root cause analysis and remediation documented
- Post-incident report delivered within 7 days
For Law Firms
We understand the unique obligations of legal professionals:
- ABA Model Rule 1.6: Our infrastructure supports your duty to protect client information. AI systems do not retain or expose privileged communications.
- ABA Formal Opinion 477R: We help firms meet their duty of competence regarding technology.
- Ethical walls: Agent systems can be configured with information barriers between practice groups or matters.
- Audit trail: Agent activity logs available for compliance review.
Agreements Available
- NDA — Mutual confidentiality protection
- DPA — Data processing obligations, retention, and deletion
- BAA — For engagements involving protected health information
- MSA — Governs engagement terms, IP ownership, liability
Certifications
| Certification | Status |
|---|---|
| SOC 2 Type II | Planned 2026 |
| HIPAA | BAA available |
| ABA Ethics Alignment | Documented & supported |
Questions about security? Email me to discuss your requirements.